SCA: security update for org.apache.commons:commons-compress (GHSA-cgwf-w82q-5jrr)

medium Tenable Self-Hosted Container Security Plugin ID 413899

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in
TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to
upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed TAR file by
manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a
denial of service issue via CPU consumption. In version 1.22 of Apache Commons Compress, support was added
for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX
extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds
and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”,
“mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header
values. Parsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known
algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue
# JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with
a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a
file modification time header, and the parsing of files with these headers will take hours instead of
seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to
CVE-2012-2098 [5]. [1]: https://issues.apache.org/jira/browse/COMPRESS-612 [2]:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 [3]:
https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html [4]:
https://bugs.openjdk.org/browse/JDK-6560193 [5]: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2012-2098 Only applications using CompressorStreamFactory class (with auto-
detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since
this code was introduced in v1.22, only that version and later versions are impacted. (CVE-2023-42503)

See Also

https://github.com/advisories/GHSA-cgwf-w82q-5jrr

Plugin Details

Severity: Medium

ID: 413899

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.63

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-42503

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/14/2023

Vulnerability Publication Date: 9/14/2023

Reference Information

CVE: CVE-2023-42503